Bug 26379

Summary: python-bleach new security issue CVE-2020-6816
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Nicolas Salguero <nicolas.salguero>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: nicolas.salguero, tarazed25
Version: 7   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: python-bleach-3.1.1-1.mga7.src.rpm CVE: CVE-2020-6816
Status comment:
Bug Depends on: 26445    
Bug Blocks:    

Description David Walser 2020-03-24 23:37:07 CET 
Debian has issued an advisory on March 20:
https://www.debian.org/security/2020/dsa-4643

The issue is fixed upstream in 3.1.2.

Mageia 7 is also affected.
David Walser 2020-03-24 23:37:16 CET

Whiteboard: (none) => MGA7TOO

David Walser 2020-03-24 23:37:25 CET

Status comment: (none) => Fixed upstream in 3.1.2

Comment 1 Nicolas Salguero 2020-03-25 10:34:45 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False. (CVE-2020-6816)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6816
https://www.debian.org/security/2020/dsa-4643
========================

Updated packages in core/updates_testing:
========================
python2-bleach-3.1.2-1.mga7
python3-bleach-3.1.2-1.mga7

from SRPMS:
python-bleach-3.1.2-1.mga7.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 7
CVE: (none) => CVE-2020-6816
Whiteboard: MGA7TOO => (none)
Source RPM: python-bleach-3.1.1-1.mga8.src.rpm => python-bleach-3.1.1-1.mga7.src.rpm
Status comment: Fixed upstream in 3.1.2 => (none)

Comment 2 Len Lawrence 2020-03-27 19:50:09 CET 
mga7, x86_64

Examples of use at:
https://www.programcreek.com/python/example/60247/bleach.clean
Downloaded the test_basics.py file from the flasky project but it is not much use without the whole project.  Don't know how to install that from GitHub so I guess this has to be a case of a clean update unless somebody in QA can handle GitHub.

The update runs OK.

CC: (none) => tarazed25

David Walser 2020-04-06 22:39:14 CEST

Depends on: (none) => 26445

Nicolas Salguero 2020-04-07 09:46:56 CEST

CC: (none) => nicolas.salguero
Assignee: qa-bugs => nicolas.salguero

Comment 3 David Walser 2020-04-20 16:06:38 CEST 
Fixed in:
https://advisories.mageia.org/MGASA-2020-0176.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED